Confused about /var/www contexts
Paul Howarth
paul at city-fan.org
Wed May 28 07:59:10 UTC 2008
Jason L Tibbitts III wrote:
> I'm trying to understand why, on an updated F8 machine with
> selinux-policy-3.0.8-101.fc8.noarch and
> selinux-policy-targeted-3.0.8-101.fc8.noarch, /var/www/blah/cgi-bin
> doesn't end up as httpd_sys_script_exec_t.
>
> semanage fcontext -l says (among many other lines, of course):
> /var/www/[^/]*/cgi-bin(/.*)? all files system_u:object_r:httpd_sys_script_exec_t:s0
>
> and yet:
> > sudo restorecon -R -v /var/www
> > ls -lZ /var/www/blah
> drwxr-xr-x root root unconfined_u:object_r:httpd_sys_content_t:s0 cgi-bin/
>
> Am I misinterpreting the semanage output above? Is it possible that
> the following line, which appears earlier in the semanage output, is overriding?
> /var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0

httpd_sys_content_t is a customizable type and will be left alone by
restorecon unless you use -F. This may change before much longer though,
given that it's easier to manage file contexts using semanage than it
was when customizable types were introduced.
Paul.
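
The rule in the reply above, as an added example that is not part of the original post: a simplified shell model of how restorecon decides whether to relabel a file, with and without -F. The function names and the sample list are constructed for illustration; the default list path is the targeted policy's customizable_types file.

```shell
#!/bin/sh
# Added example: simplified model of the restorecon rule from the reply above.
# Real list location under the targeted policy; override it to test offline.
CUSTOMIZABLE_TYPES="${CUSTOMIZABLE_TYPES:-/etc/selinux/targeted/contexts/customizable_types}"

# The type is the third colon-separated field of user:role:type:level.
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# restorecon_decision CURRENT EXPECTED [force]   (hypothetical helper)
# Prints one of: unchanged | relabel | skipped-customizable
restorecon_decision() {
    if [ "${3:-}" = force ]; then
        # -F resets the whole context, customizable type or not.
        if [ "$1" = "$2" ]; then echo unchanged; else echo relabel; fi
        return 0
    fi
    cur=$(context_type "$1")
    want=$(context_type "$2")
    if [ "$cur" = "$want" ]; then
        # Without -F only the type is compared.
        echo unchanged
    elif grep -qxF "$cur" "$CUSTOMIZABLE_TYPES" 2>/dev/null; then
        # The current type is customizable: left alone unless -F is given.
        echo skipped-customizable
    else
        echo relabel
    fi
}

# Constructed sample list; a real system's file has more entries.
sample_list() {
    f=$(mktemp)
    printf '%s\n' httpd_sys_content_t > "$f"
    echo "$f"
}

# Contexts taken from the thread: what ls -Z showed, and what the
# /var/www/[^/]*/cgi-bin(/.*)? rule in semanage fcontext -l specifies.
CUR='unconfined_u:object_r:httpd_sys_content_t:s0'
WANT='system_u:object_r:httpd_sys_script_exec_t:s0'
```

On a live system, matchpathcon prints the context the policy expects for a path, which can be compared with ls -Z output in the same way.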